We all know that advanced attackers have the resources, expertise and persistence to compromise any organisation and at any time. Attackers fundamentally understand the nature of classic security technologies and their applications and exploit the gaps between them. They relentlessly drive their attacks home, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. Once they penetrate the network they go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise to accomplish their mission.
The challenge for defenders is that traditional security technologies are focused on detecting strong indications of compromise, such as known malware and other threats, but can’t capture or analyse weaker indications of compromise. Plus, these technologies are only able to make a determination at a single point in time. If that one shot at identifying and blocking a threat is missed, most IT security professionals have no way to continue to monitor files once they enter the network and take action if they turn out to be malicious. Eventually they realise a breach has happened, but if you are like most organisations it can take months or even years to discover according to the latest Verizon 2013 Data Breach Investigations Report.
To regain control against stealthy attacks, defenders need a new threat-centric approach to security to address the full attack continuum – before, during and after an attack – with continuous visibility into indicators of compromise and retrospective security to quickly contain and stop the damage. Examples of activities that could indicate compromise include a system attempting to communicate back to a known bad (blacklisted) IP address, trying to access a part of the network, a device or a database it hasn’t before or creating a process that it wouldn’t under typical circumstances. In isolation each of these activities isn’t a detection or prevention event, but when correlated with malware intelligence and other behaviours, even seemingly benign or unrelated, they may suggest a compromise.
To be able to identify indicators of compromise once a threat has entered the network, you need to take a two-tiered approach with tools and processes that combine trajectory capabilities, big data analytics and visualisation to enable the following:
Tier 1
>Automated analysis and response: Identify technologies that use trajectory capabilities to track system-level activities, file origination and file relationships and then leverage big data analytics for root cause and forensic analysis. When combined, these technologies can highlight and pinpoint subtle patterns of behaviours and weak indicators, suggesting a compromise has happened and a breach has most likely occurred. The ability to alert and automatically take action can speed response and help mitigate damage.
Tier 2
>Actionable intelligence: Visualisation technologies are also important so that you can quickly understand the chain of events leading up to and following a possible compromise. This allows you to apply context based on your expertise, perspective and knowledge of activities happening at that moment in your environment to make an even more nuanced determination of suspicious activity and indentify indicators of compromise. If you identify an indicator of compromise you can see what’s occurring across your environment at that moment, look back at preceding events and then control activities that could be risky. If you determine a breach has occurred, by locating the point of origination and understanding the scope of the exposure you can stop the attack and remediate.
While detection and prevention are essential to any security defence strategy, defenders also need the ability to quickly tie together unrelated events to identify a threat that has evaded defences. With decisive insight from trajectory, big data analytics and visualisation capabilities, defenders now can see that blip on the radar, hone in, understand it and take action.